Address PR review: remove secrets, fix portability, harden code

PR Review Fixes (#139):

Security:
- Remove committed private key + certs from repo (GitGuardian finding)
- Add tests/fixtures/gen_test_certs.sh for ephemeral cert generation
- Add .gitignore rules for generated certs and Zone.Identifier files
- Fix docker-publish.sh: use --password-stdin for Nexus login (no -p flag)
- Fix basePath HTML injection: escape with html.EscapeString + json.Marshal

WebSocket:
- Filter hop-by-hop headers (Proxy-*, Connection, Keep-Alive, TE, Trailer,
  Transfer-Encoding) before forwarding to upstream (RFC 7230 §6.1)
- Ensure Host header is consistent with dialed upstream target

DNS Cache:
- Fix cache key collision: fall back to numeric qtype for unknown types
- Replace full cache clear with incremental eviction (expired first,
  then 10% random if still >90% capacity) to avoid latency spikes

Portability:
- Fix hardcoded 192.168.1.105 in proxy_concurrency_test.sh → 127.0.0.1
- Add NO_COLOR / ASCII_MODE env var support to both test scripts
  (see https://no-color.org/) for CI terminals without UTF-8/emoji
- Fix tests/setup_test.go: honor GS_ADMIN_PORT env (default 8080)
- Fix bonjour.go: use GS_ADMIN_PORT + GS_BASE_PATH instead of hardcoded 80
- Auto-generate test certs in testbed setup.sh and benchmark suite

Author: jbarwick

.gitignore

@@ -10,3 +10,13 @@ ui/dist/
 # Frontend build artifacts (generated by build.sh, embedded via //go:embed)
 application/webserver/frontend/files/*
 !application/webserver/frontend/files/.gitkeep
+
+# Ephemeral test certificates — generated by tests/fixtures/gen_test_certs.sh
+tests/fixtures/JVJCA.crt
+tests/fixtures/JVJCA.key
+tests/fixtures/httpbin.org.crt
+tests/fixtures/httpbin.org.key
+tests/fixtures/*:Zone.Identifier
+
+# Test run artifacts
+tests/proxy_benchmark_results.log

application/bonjour.go

@@ -2,19 +2,32 @@ package gatesentryf
 
 import (
 	"log"
-	// "os"
-	// "os/signal"
-	// "time"
+	"os"
+	"strconv"
 
 	"github.com/oleksandr/bonjour"
 )
 
 func StartBonjour() {
 	log.Println("Starting Bonjour service")
 
+	// Derive admin port from environment (same source of truth as main.go)
+	adminPort := 80
+	if envPort := os.Getenv("GS_ADMIN_PORT"); envPort != "" {
+		if p, err := strconv.Atoi(envPort); err == nil && p > 0 {
+			adminPort = p
+		}
+	}
+
+	// Derive base path for TXT record
+	basePath := os.Getenv("GS_BASE_PATH")
+	if basePath == "" {
+		basePath = "/"
+	}
+
 	// Advertise the web admin UI so browsers resolve http://gatesentry.local
 	go func() {
-		_, err := bonjour.Register("GateSentry", "_http._tcp", "", 80, []string{"txtv=1", "app=gatesentry", "path=/"}, nil)
+		_, err := bonjour.Register("GateSentry", "_http._tcp", "", adminPort, []string{"txtv=1", "app=gatesentry", "path=" + basePath}, nil)
 		if err != nil {
 			log.Println("[Bonjour] HTTP registration error:", err.Error())
 		}

application/dns/server/server.go

@@ -90,7 +90,12 @@ var (
 
 // dnsCacheKey builds a cache key from question name and type.
 func dnsCacheKey(qname string, qtype uint16) string {
-	return strings.ToLower(qname) + "/" + dns.TypeToString[qtype]
+	t := dns.TypeToString[qtype]
+	if t == "" {
+		// Fall back to numeric qtype for unknown/unsupported types to avoid key collisions.
+		return strings.ToLower(qname) + "/" + fmt.Sprint(qtype)
+	}
+	return strings.ToLower(qname) + "/" + t
 }
 
 // dnsCacheGet returns a cached response if it exists and hasn't expired.
@@ -164,10 +169,28 @@ func dnsCachePut(qname string, qtype uint16, msg *dns.Msg) {
 	key := dnsCacheKey(qname, qtype)
 
 	dnsCacheMu.Lock()
-	// Simple eviction: if cache is too large, clear it
+	// Incremental eviction: remove expired entries first, then oldest if still over limit
 	if len(dnsCache) >= dnsCacheMax {
-		log.Printf("[DNS Cache] Evicting %d entries (max %d reached)", len(dnsCache), dnsCacheMax)
-		dnsCache = make(map[string]*dnsCacheEntry)
+		now := time.Now()
+		expired := 0
+		for k, e := range dnsCache {
+			if now.After(e.expiresAt) {
+				delete(dnsCache, k)
+				expired++
+			}
+		}
+		// If still over 90% capacity after removing expired, evict 10% oldest
+		if len(dnsCache) >= dnsCacheMax*9/10 {
+			evictCount := dnsCacheMax / 10
+			for k := range dnsCache {
+				delete(dnsCache, k)
+				evictCount--
+				if evictCount <= 0 {
+					break
+				}
+			}
+		}
+		log.Printf("[DNS Cache] Evicted %d expired + trimmed to %d entries (max %d)", expired, len(dnsCache), dnsCacheMax)
 	}
 	dnsCache[key] = &dnsCacheEntry{
 		msg:       msg.Copy(),

application/webserver/frontend/frontend.go

@@ -2,6 +2,8 @@ package gatesentryWebserverFrontend
 
 import (
 	"embed"
+	"encoding/json"
+	"html"
 	"io/fs"
 	"log"
 	"net/http"
@@ -43,17 +45,18 @@ func GetIndexHtmlWithBasePath(basePath string) []byte {
 		return raw
 	}
 
-	html := string(raw)
+	htmlStr := string(raw)
 
-	// Build injection tags
-	baseHref := basePath + "/"
+	// Build injection tags — escape basePath for safe HTML/JS injection
+	baseHref := html.EscapeString(basePath + "/")
+	jsPath, _ := json.Marshal(basePath) // produces a safely-quoted JSON string
 	injection := `<base href="` + baseHref + `">` + "\n" +
-		`    <script>window.__GS_BASE_PATH__ = "` + basePath + `";</script>`
+		`    <script>window.__GS_BASE_PATH__ = ` + string(jsPath) + `;</script>`
 
 	// Inject after <head> or after first <meta> tag
-	html = strings.Replace(html, "<head>", "<head>\n    "+injection, 1)
+	htmlStr = strings.Replace(htmlStr, "<head>", "<head>\n    "+injection, 1)
 
-	return []byte(html)
+	return []byte(htmlStr)
 }
 
 func GetFileSystem(dir string, fsys fs.FS) http.FileSystem {

docker-publish.sh

@@ -149,7 +149,11 @@ if [[ "$TARGET" == "nexus" ]]; then
     fi
 
     echo "── Logging in to Nexus: ${REGISTRY} ─────────────────────────"
-    run docker login "${REGISTRY}" -u "${NEXUS_USERNAME}" -p "${NEXUS_PASSWORD}"
+    if [[ "$DRY_RUN" == true ]]; then
+        echo "[DRY RUN] echo <password> | docker login \"${REGISTRY}\" -u ${NEXUS_USERNAME} --password-stdin"
+    else
+        echo "${NEXUS_PASSWORD}" | docker login "${REGISTRY}" -u "${NEXUS_USERNAME}" --password-stdin
+    fi
 
 else
     # ── Docker Hub ──

gatesentryproxy/websocket.go

@@ -63,8 +63,27 @@ func HandleWebsocketConnection(r *http.Request, w http.ResponseWriter) {
 	// Reconstruct the HTTP request line and headers.
 	reqURI := r.URL.RequestURI()
 	fmt.Fprintf(serverConn, "%s %s HTTP/1.1\r\n", r.Method, reqURI)
-	fmt.Fprintf(serverConn, "Host: %s\r\n", r.Host)
+
+	// Use the determined upstream host for the Host header
+	upstreamHost := r.Host
+	if upstreamHost == "" {
+		upstreamHost = host // fallback to the dialed host
+	}
+	fmt.Fprintf(serverConn, "Host: %s\r\n", upstreamHost)
+
 	for key, values := range r.Header {
+		// Filter out hop-by-hop and proxy-only headers (RFC 7230 §6.1)
+		keyLower := strings.ToLower(key)
+		if keyLower == "host" ||
+			keyLower == "connection" ||
+			keyLower == "keep-alive" ||
+			keyLower == "te" ||
+			keyLower == "trailer" ||
+			keyLower == "transfer-encoding" ||
+			keyLower == "proxy-connection" ||
+			strings.HasPrefix(keyLower, "proxy-") {
+			continue
+		}
 		for _, v := range values {
 			fmt.Fprintf(serverConn, "%s: %s\r\n", key, v)
 		}

tests/fixtures/gen_test_certs.sh

@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+###############################################################################
+# Generate ephemeral CA + server certificates for GateSentry test bed.
+#
+# Creates:
+#   JVJCA.crt / JVJCA.key           — self-signed CA (internal-ca)
+#   httpbin.org.crt / httpbin.org.key — server cert signed by the CA
+#
+# All certs are written to the same directory as this script (tests/fixtures/).
+# They are listed in .gitignore and must NOT be committed.
+#
+# Usage:
+#   bash tests/fixtures/gen_test_certs.sh           # generate once
+#   bash tests/fixtures/gen_test_certs.sh --force   # regenerate even if exist
+###############################################################################
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CA_KEY="${SCRIPT_DIR}/JVJCA.key"
+CA_CERT="${SCRIPT_DIR}/JVJCA.crt"
+SERVER_KEY="${SCRIPT_DIR}/httpbin.org.key"
+SERVER_CERT="${SCRIPT_DIR}/httpbin.org.crt"
+DAYS_VALID=365
+
+FORCE=false
+[[ "${1:-}" == "--force" ]] && FORCE=true
+
+# Skip if certs already exist (unless --force)
+if [[ "$FORCE" == false && -f "$CA_CERT" && -f "$SERVER_CERT" && -f "$SERVER_KEY" ]]; then
+    echo "[gen_test_certs] Certificates already exist — skipping (use --force to regenerate)"
+    exit 0
+fi
+
+echo "[gen_test_certs] Generating ephemeral test certificates in ${SCRIPT_DIR}/"
+
+# ── 1. CA key + self-signed cert ────────────────────────────────────────────
+openssl genrsa -out "$CA_KEY" 2048 2>/dev/null
+
+openssl req -new -x509 \
+    -key "$CA_KEY" \
+    -out "$CA_CERT" \
+    -days "$DAYS_VALID" \
+    -subj "/CN=internal-ca/C=SG/L=Singapore/O=JVJ 28 Inc." \
+    2>/dev/null
+
+echo "[gen_test_certs] CA certificate:  ${CA_CERT}"
+
+# ── 2. Server key + CSR + CA-signed cert ────────────────────────────────────
+openssl genrsa -out "$SERVER_KEY" 2048 2>/dev/null
+
+openssl req -new \
+    -key "$SERVER_KEY" \
+    -out "${SCRIPT_DIR}/httpbin.org.csr" \
+    -subj "/CN=httpbin.org/C=SG/L=Singapore/O=JVJ 28 Inc." \
+    2>/dev/null
+
+# SAN extension for httpbin.org + localhost
+cat > "${SCRIPT_DIR}/_san.cnf" <<EOF
+[v3_req]
+subjectAltName = DNS:httpbin.org, DNS:localhost, IP:127.0.0.1
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+EOF
+
+openssl x509 -req \
+    -in "${SCRIPT_DIR}/httpbin.org.csr" \
+    -CA "$CA_CERT" \
+    -CAkey "$CA_KEY" \
+    -CAcreateserial \
+    -out "$SERVER_CERT" \
+    -days "$DAYS_VALID" \
+    -extensions v3_req \
+    -extfile "${SCRIPT_DIR}/_san.cnf" \
+    2>/dev/null
+
+echo "[gen_test_certs] Server certificate: ${SERVER_CERT}"
+
+# ── Cleanup temp files ──────────────────────────────────────────────────────
+rm -f "${SCRIPT_DIR}/httpbin.org.csr" "${SCRIPT_DIR}/_san.cnf" "${SCRIPT_DIR}/JVJCA.srl"
+
+echo "[gen_test_certs] Done — certificates valid for ${DAYS_VALID} days"

tests/proxy_benchmark_suite.sh

@@ -34,13 +34,17 @@
 #   all subsequent results.  We WANT to see every failure.
 set -uo pipefail
 
-# ── Colours ─────────────────────────────────────────────────────────────────
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-CYAN='\033[0;36m'
-BOLD='\033[1m'
-NC='\033[0m' # No Colour
+# ── Colours (respect NO_COLOR — see https://no-color.org/) ─────────────────
+if [[ -n "${NO_COLOR:-}" || "${ASCII_MODE:-}" == "1" ]]; then
+    RED=''; GREEN=''; YELLOW=''; CYAN=''; BOLD=''; NC=''
+else
+    RED='\033[0;31m'
+    GREEN='\033[0;32m'
+    YELLOW='\033[1;33m'
+    CYAN='\033[0;36m'
+    BOLD='\033[1m'
+    NC='\033[0m' # No Colour
+fi
 
 # ── Defaults ────────────────────────────────────────────────────────────────
 DNS_PORT="${DNS_PORT:-10053}"
@@ -64,6 +68,13 @@ ECHO_SERVER="http://127.0.0.1:9998"         # Python echo server (direct)
 TESTBED_FILES="${TESTBED_HTTP}/files"        # Static test files (1MB, 10MB, 100MB)
 CA_CERT="${CA_CERT:-$(cd "$(dirname "$0")" && pwd)/fixtures/JVJCA.crt}"  # Internal CA
 
+# Auto-generate test certs if they don't exist
+FIXTURES_DIR="$(cd "$(dirname "$0")" && pwd)/fixtures"
+if [[ ! -f "$CA_CERT" && -f "${FIXTURES_DIR}/gen_test_certs.sh" ]]; then
+    echo "  INFO  Generating ephemeral test certificates..."
+    bash "${FIXTURES_DIR}/gen_test_certs.sh"
+fi
+
 # ── Counters ────────────────────────────────────────────────────────────────
 PASS=0
 FAIL=0
@@ -91,30 +102,37 @@ log_section() {
     echo -e "${BOLD}── $1 ──${NC}"
 }
 
+# Glyph selection (ASCII fallbacks for CI/non-UTF8 terminals)
+if [[ -n "${NO_COLOR:-}" || "${ASCII_MODE:-}" == "1" ]]; then
+    _G_PASS='[PASS]'; _G_FAIL='[FAIL]'; _G_KNOWN='[KNOWN]'; _G_SKIP='[SKIP]'; _G_ARROW='->'
+else
+    _G_PASS='✓ PASS'; _G_FAIL='✗ FAIL'; _G_KNOWN='⚠ KNOWN'; _G_SKIP='⊘ SKIP'; _G_ARROW='↳'
+fi
+
 pass() {
     ((TOTAL++)) || true
     ((PASS++)) || true
-    echo -e "  ${GREEN}✓ PASS${NC}  $1"
+    echo -e "  ${GREEN}${_G_PASS}${NC}  $1"
 }
 
 fail() {
     ((TOTAL++)) || true
     ((FAIL++)) || true
-    echo -e "  ${RED}✗ FAIL${NC}  $1"
-    [[ -n "${2:-}" ]] && echo -e "         ${RED}↳ $2${NC}"
+    echo -e "  ${RED}${_G_FAIL}${NC}  $1"
+    [[ -n "${2:-}" ]] && echo -e "         ${RED}${_G_ARROW} $2${NC}"
 }
 
 known_issue() {
     ((TOTAL++)) || true
     ((KNOWN++)) || true
-    echo -e "  ${YELLOW}⚠ KNOWN${NC} $1"
-    [[ -n "${2:-}" ]] && echo -e "         ${YELLOW}↳ $2${NC}"
+    echo -e "  ${YELLOW}${_G_KNOWN}${NC} $1"
+    [[ -n "${2:-}" ]] && echo -e "         ${YELLOW}${_G_ARROW} $2${NC}"
 }
 
 skip_test() {
     ((TOTAL++)) || true
     ((SKIP++)) || true
-    echo -e "  ${CYAN}⊘ SKIP${NC}  $1"
+    echo -e "  ${CYAN}${_G_SKIP}${NC}  $1"
 }
 
 verbose() {

tests/proxy_concurrency_test.sh

@@ -20,23 +20,29 @@
 set -euo pipefail
 
 # ── Configuration ────────────────────────────────────────────────────────────
-PROXY_HOST="${PROXY_HOST:-192.168.1.105}"
+PROXY_HOST="${PROXY_HOST:-127.0.0.1}"
 PROXY_PORT="${PROXY_PORT:-10413}"
-ECHO_SERVER="${ECHO_SERVER:-http://192.168.1.105:9998}"
-TESTBED_HTTP="${TESTBED_HTTP:-http://192.168.1.105:9999}"
+ECHO_SERVER="${ECHO_SERVER:-http://127.0.0.1:9998}"
+TESTBED_HTTP="${TESTBED_HTTP:-http://127.0.0.1:9999}"
 CURL_TIMEOUT=10
 
-# Colours
-RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'
-CYAN='\033[0;36m'; NC='\033[0m'; BOLD='\033[1m'
+# Colours (respect NO_COLOR — see https://no-color.org/)
+if [[ -n "${NO_COLOR:-}" || "${ASCII_MODE:-}" == "1" ]]; then
+    RED=''; GREEN=''; YELLOW=''; CYAN=''; NC=''; BOLD=''
+    _PASS='PASS'; _FAIL='FAIL'; _WARN='WARN'; _ARROW='->';
+else
+    RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'
+    CYAN='\033[0;36m'; NC='\033[0m'; BOLD='\033[1m'
+    _PASS='✅ PASS'; _FAIL='❌ FAIL'; _WARN='⚠️  WARN'; _ARROW='↳';
+fi
 
 PASS_COUNT=0; FAIL_COUNT=0; WARN_COUNT=0
 
-pass()  { ((PASS_COUNT++)) || true; echo -e "  ${GREEN}✅ PASS${NC}  $1"; }
-fail()  { ((FAIL_COUNT++)) || true; echo -e "  ${RED}❌ FAIL${NC}  $1"; [[ -n "${2:-}" ]] && echo -e "         ${YELLOW}↳ $2${NC}"; }
-warn()  { ((WARN_COUNT++)) || true; echo -e "  ${YELLOW}⚠️  WARN${NC}  $1"; [[ -n "${2:-}" ]] && echo -e "         ${YELLOW}↳ $2${NC}"; }
-log_header()  { echo -e "\n${BOLD}${CYAN}═══ $1 ═══${NC}"; }
-log_section() { echo -e "\n${BOLD}── $1${NC}"; }
+pass()  { ((PASS_COUNT++)) || true; echo -e "  ${GREEN}${_PASS}${NC}  $1"; }
+fail()  { ((FAIL_COUNT++)) || true; echo -e "  ${RED}${_FAIL}${NC}  $1"; [[ -n "${2:-}" ]] && echo -e "         ${YELLOW}${_ARROW} $2${NC}"; }
+warn()  { ((WARN_COUNT++)) || true; echo -e "  ${YELLOW}${_WARN}${NC}  $1"; [[ -n "${2:-}" ]] && echo -e "         ${YELLOW}${_ARROW} $2${NC}"; }
+log_header()  { echo -e "\n${BOLD}${CYAN}=== $1 ===${NC}"; }
+log_section() { echo -e "\n${BOLD}-- $1${NC}"; }
 
 gscurl() { curl --proxy "http://${PROXY_HOST}:${PROXY_PORT}" --max-time "$CURL_TIMEOUT" "$@"; }